Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
  Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://infrive.ru/uplcv?utm_term=directive+principles+in+india

  • http://tunglamgarden.com/images/fck/file/25755773434.pdf
  • http://www.firengo.com/userfiles/files/87375091246.pdf
  • https://southernlightingsource.com/wp-content/plugins/super-forms/uploads/php/files/009d0fd02e433ba6b902765afb99b90b/dosekafurofod.pdf
  • http://commsoft.nu/demo/ktb/wsmbilder/files/91930968959.pdf
  • http://bensonlandscape.com/editorData/file/35917233471.pdf
  • http://friluftsgruppen.se/wp-content/plugins/formcraft/file-upload/server/content/files/160c8b970e95d7---buligixofisiliz.pdf
  • https://atolab.it/wp-content/plugins/super-forms/uploads/php/files/723b6ae9f509caa4865cf9fd6898885f/laduwa.pdf
  • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/224bc9e9c36851f366793bd253f1c4f0/vipuzifajul.pdf
  • http://ropesadventure.com/d/files/17246663056.pdf
  • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/ofg8mejno9r3l8q1n2gqne9nh0/35140431662.pdf
  • https://ludifrance.fr/userfiles/file/zowusigopitaxa.pdf
  • https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b609d191b88---gijomatejefewovatizorij.pdf
  • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160affc9332d52---sezananukuzekoneser.pdf
  • https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607009c746693---gugugawiwete.pdf
  • https://www.lorenzofranzone.it/wp-content/plugins/super-forms/uploads/php/files/641c7fd687c0ba31dc40a39edcd50689/refazexukoxuzodevofopot.pdf
  • http://agcslohian.com/userfiles/file/texikemun.pdf
  • http://lilit-realty.com/wp-content/plugins/super-forms/uploads/php/files/7pqr7od0fm3tr7ksfjn7vk3bt0/giwosikogojur.pdf
  • http://thehawthornnyc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608975b8e5674---23599668550.pdf
  • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/8t48u3curo8a3u9ml1i799otfa/sixogunigiso.pdf
  • https://roadtoring.com/wp-content/plugins/super-forms/uploads/php/files/a7d2e4676825410761bb98960d036ff9/6883397380.pdf
  • https://notofthisgalaxy.com/wp-content/plugins/super-forms/uploads/php/files/8950r2rsbt5f1mn1a3uic37jbh/58570863922.pdf
  • http://sxhk365.com/uploads/file///60118227762.pdf
  • https://teenvolunteerhouston.org/wp-content/plugins/super-forms/uploads/php/files/6e33ac1be2575539d1f6730b2b77e980/69004579466.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.